
Introduction

Many critics of the Open Web Application Security Project (OWASP) Top Ten list view insufficient logging and monitoring, new on the list in 2017, as more of a best practice for defending a web application than an actual vulnerability. The argument goes that logging and monitoring are basic pillars of any modern secure system; in other words, you should already have stringent logging and monitoring procedures in place. For others, because attacks so often go unnoticed for months, the real surprise is that insufficient logging and monitoring hadn't made the list before.

In terms of risk, OWASP rates the exploitability of this weakness as "medium," its prevalence as "high" and its detectability as "low." Technical impact is harder to pin down, mainly because of how attacks typically unfold. Most successful attacks start with vulnerability probing. Allowing such probes to continue undetected (because nothing logs or monitors them) can raise the likelihood of a successful exploit to nearly 100%.

A recent Ponemon Institute survey found that identifying a security breach in 2017 took an average of 191 days, down from approximately 201 days in 2016. The faster a data breach can be identified and contained, the lower the cost. Over the same period, the average total cost of a data breach decreased 10% and the per-capita cost decreased 2.9%.

Besides faster identification times, the study suggests that a strong U.S. dollar significantly influenced the global cost analysis and contributed to the overall decline in breach costs. Ponemon also attributed the improvements to investment in security technologies such as security analytics, SIEM, enterprise-wide encryption and threat intelligence sharing platforms.

What Is Insufficient Logging & Monitoring?

A loose metaphor for this vulnerability is ignoring an orange warning light on your vehicle's dashboard. Unlike a red light it is probably not urgent, but it would still be unwise not to investigate the source of the warning. Most people also have their vehicles serviced regularly, which covers the case where the monitoring system itself is inadequate or has broken down. The same proactive approach should be mandatory for monitoring web application security.

Logging and monitoring provide the raw data you need to identify unusual patterns in an application, whether reported in log files or observed by security monitors. The fundamental problem is that if your application doesn't log an event, no audit report will show it and no monitor can alert on it.

Some causes of logging and monitoring failures include:

Unlogged events, e.g., failed logins or high-value transactions

Logs that are not backed up or copied to a separate system (intruders who gain access to a system often delete local logs to cover their tracks, leaving you unable to trace the intrusion back to its source)

Monitoring misconfigured so that apparently unimportant events, e.g., a failed login or a seemingly innocuous read-only request, never raise an alert

Error messages logged without enough detail for forensic follow-up or for administrators to understand the problem

How Do You Detect Insufficient Logging & Monitoring?

When attackers set out to exploit a system, they first spend a lot of time probing the application for vulnerabilities. If sufficient logging and monitoring are not in place, the attacker is free to explore at leisure for flaws and weaknesses, which increases the chance of finding and exploiting one. Ideally, you will have monitoring in place that alerts you to this probing; failing that, you need at the very least an intrusion detection mechanism that tells you that you have been targeted.

If applications aren't patched with the latest fixes, known vulnerabilities remain open to exploitation. The National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST), is a searchable repository of known security vulnerabilities. A search on "Microsoft Word" for vulnerabilities reported in the last three months returned seven matches, including one in which Microsoft Office 2010, 2013 and 2016 allow remote code execution due to the way RTF content is handled (aka the Microsoft Word Memory Corruption Vulnerability). It is a good idea to keep an eye on this resource and keep software updated; attempts to exploit a known, unpatched flaw are exactly the kind of probing your logging needs to capture.

There are a number of log management and monitoring tools, both open source and commercial, that can help you automate the monitoring of your systems:

Nagios: Provides management and monitoring of application logs, log files, event logs, service logs and system logs on Windows, Linux and Unix servers. Nagios can watch these logs and alert you when specified log patterns are detected.

Splunk: Commercial platform that consolidates log and machine data, including structured, unstructured and complex multi-line application logs. You can collect, store, index, search, correlate, visualize, analyze and report on machine-generated data to identify and resolve operational and security issues faster and more repeatably.

Fluentd: Open source data collector that decouples data sources from backend systems by providing a unified logging layer between them. It boasts 500+ plugins that connect it to various data sources and outputs, from application frameworks and network protocols to IoT devices and social media applications.

How Do You Prevent Insufficient Logging & Monitoring?

OWASP suggests:

Ensure all login, access control failures and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and are held for sufficient time to allow delayed forensic analysis.

Ensure logs are generated in a format that can be easily consumed by a centralized log management solution.

Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables.

Establish effective monitoring and alerting so suspicious activities are detected and responded to in a timely fashion.
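The first, second and fourth OWASP recommendations above fit together: emit every authentication outcome as a structured record with user and source context, in a format a central collector can parse, and run detection logic over those records. The following is an added example written for this article, not OWASP's or Infosec's code. The event names (`auth.login.failure` and so on), the field names and the threshold of five failures from one source within ten minutes are assumptions chosen for illustration; the log lines it processes are constructed in the `demo()` function rather than taken from any real system.

```python
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

# Added example for this article, not OWASP's or Infosec's code. Event names,
# field names and the 5-failures-in-10-minutes threshold are assumptions.


class JsonLineFormatter(logging.Formatter):
    """One JSON object per line: the shape a central log collector parses easily."""

    def format(self, record):
        event = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "event": getattr(record, "event", "app.generic"),
            "user": getattr(record, "user", None),
            "src_ip": getattr(record, "src_ip", None),
            "request_id": getattr(record, "request_id", None),
            "msg": record.getMessage(),
        }
        return json.dumps(event, sort_keys=True)


def make_security_logger(stream):
    """A dedicated 'security' logger, so these events are not buried in debug noise."""
    logger = logging.getLogger("security")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    return logger


def log_login(logger, user, src_ip, request_id, success):
    """Record every login outcome, failures included, with account and source context."""
    logger.log(
        logging.INFO if success else logging.WARNING,
        "login %s for %s", "succeeded" if success else "failed", user,
        extra={
            "event": "auth.login.success" if success else "auth.login.failure",
            "user": user,
            "src_ip": src_ip,
            "request_id": request_id,
        },
    )


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window monitor: alert when one source IP accumulates `threshold`
    login failures inside `window`. Returns a list of alert dicts."""
    recent = defaultdict(deque)  # src_ip -> timestamps of its recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "auth.login.failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                           "count": len(q), "at": ev["ts"]})
            q.clear()  # one alert per burst, not one per additional failure
    return alerts


def demo():
    """Generate a constructed event stream and run the monitor over it."""
    buf = StringIO()
    log = make_security_logger(buf)
    # Constructed activity: a burst of failures from one address, then a normal user.
    for i in range(6):
        log_login(log, "alice", "203.0.113.5", f"req-{i}", success=False)
    log_login(log, "bob", "198.51.100.7", "req-6", success=False)
    log_login(log, "bob", "198.51.100.7", "req-7", success=True)
    burst_alerts = detect_brute_force(buf.getvalue().splitlines())

    # Constructed lines from the same source spread an hour apart: no burst, no alert.
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    slow = [json.dumps({"ts": (base + timedelta(hours=h)).isoformat(),
                        "event": "auth.login.failure", "user": "alice",
                        "src_ip": "203.0.113.5"}) for h in range(6)]
    return burst_alerts, detect_brute_force(slow)


if __name__ == "__main__":
    burst, slow = demo()
    print(json.dumps(burst, indent=2))
    print("alerts on slow failures:", len(slow))
```

The detector keys on source address because that is what a password-guessing attacker cannot easily vary across a single burst; a production monitor would also count per target account, since the same context fields are in every record. The point of the formatter is that `user`, `src_ip` and `request_id` travel with every event, so an analyst can pivot from the alert to everything else that source did.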

Other free tools that help you produce log data and establish what should be appearing in it:

NLog: A free logging platform for .NET, .NET Standard, Xamarin, Silverlight and Windows Phone. It can process diagnostic messages emitted from any .NET language (C#, VB.NET, etc.) and augment them with contextual information (date and time, severity, thread, process or environment).

Nmap: Powerful, free and open source utility for network discovery and security auditing; useful for establishing which hosts and services exist, and therefore which should be showing up in your logs.

httpry: A specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse and log the traffic for later analysis.

Open-AudIT: An application that tells you exactly what is on your network, how it is configured and when it changes.

How Do You Protect Your System From Insufficient Logging & Monitoring?

Some suggestions from Dave Whitelegg at IBM:

Use a separate and dedicated security-hardened server platform to capture and store audit log events.

Use network time synchronization technology to synchronize system clocks. This also allows automated monitoring tools to correlate events from different systems in the order they actually occurred.

Have strong access control to logs.

Create a formal incident response plan.

Ensure 24/7 monitoring by implementing an alert system for monitoring staff.
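OWASP's recommendation above of an audit trail "with integrity controls to prevent tampering or deletion" and Whitelegg's advice to keep audit events on a separate, hardened server address the same problem: an intruder who owns the application host will edit or delete its logs. The following is an added example written for this article, not OWASP's or IBM's code. It hash-chains each audit entry to its predecessor and authenticates it with an HMAC key that, by assumption, lives on the log server rather than the application host, and it records the chain head off-box so that truncation of the tail is also detectable. The Python list standing in for an append-only table, the key, the field names and the sample transactions are all assumptions chosen for illustration.

```python
import copy
import hashlib
import hmac
import json

# Added example for this article, not OWASP's or IBM's code. The key, the
# field names and the list that stands in for an append-only table are assumptions.

GENESIS = "0" * 64  # link value for the first entry in an empty trail


def canonical(body):
    """Deterministic byte encoding, so the MAC covers exactly what was stored."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only, hash-chained, HMAC-authenticated audit log."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # stands in for an append-only database table

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        mac = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Current chain head; ship this off-box after every batch of writes."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify(entries, key: bytes, expected_head=None):
    """Return None if the trail is intact, otherwise a description of the first problem."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return f"sequence gap at entry {i}"          # an entry was removed
        if e["prev"] != prev:
            return f"broken link at entry {i}"            # chain was re-spliced
        body = {k: e[k] for k in ("seq", "prev", "event")}
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e["mac"]):
            return f"bad MAC at entry {i}"                # contents were edited
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return "trail truncated: head does not match the off-box head"
    return None


def demo():
    """Build a constructed trail, then simulate three kinds of tampering."""
    key = b"key-held-by-the-log-server-not-the-app-host"  # assumption: provisioned out of band
    trail = AuditTrail(key)
    for ev in ({"type": "transfer", "user": "alice", "amount": 25000, "to": "ACME-7781"},
               {"type": "role_change", "user": "bob", "actor": "admin", "new_role": "admin"},
               {"type": "export", "user": "carol", "rows": 120000}):
        trail.append(ev)
    head = trail.head()  # copied to the dedicated log server after the writes

    tampered = copy.deepcopy(trail.entries)
    tampered[0]["event"]["amount"] = 250                 # intruder rewrites an amount
    deleted = trail.entries[:1] + trail.entries[2:]      # intruder removes the middle entry
    truncated = trail.entries[:-1]                       # intruder drops the newest entry
    return {
        "intact": verify(trail.entries, key, head),
        "tampered": verify(tampered, key, head),
        "deleted": verify(deleted, key, head),
        "truncated": verify(truncated, key, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result or 'ok'}")
```

Note what each control catches: the MAC catches edits, the sequence number and link catch removal from the middle, and only the off-box head catches removal from the end, which is why the separate log server in Whitelegg's first point is not optional. With the key on the application host, an intruder could simply rebuild the chain.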

Chris Bihary from Tap Into Technology believes human insight is one of the best tools for protecting your system. Some tips:

Know your baseline traffic so you can tell what is not normal.

Identify the presence of unknown or unauthorized IP addresses on wireless networks.

Be wary of multiple failed login attempts in system authentication and event logs.

Follow up on suspicious activity on the network after hours.

Investigate unexplained system reboots or shutdowns.

Keep an eye out for services and applications configured to launch automatically without authorization.

Before you get started, research the standards, methodologies and frameworks you need to proactively defend yourself:

OWASP ModSecurity Core Rule Set (CRS): Set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top 10, and its rule matches are themselves a rich source of security events to log.

The open source Elastic Stack: A centralized log management solution (Elasticsearch, Logstash, Kibana and Beats) that ingests logs generated in an easily consumable format so you can search, analyze and visualize them in near real time.

How Can Insufficient Logging & Monitoring Be Leveraged In an Attack?

If critical security information is not logged, there is no trail for forensic analysis and discovering the source of an attack may be impossible. Just as importantly, when events are not written, alerts are not issued, and risks turn into real-time breaches.

Scenario 1: A small startup falls victim to a brute-force attack on an employee's password. The victim system does not alert on failed login attempts, so the attacker has all the time needed to keep trying. Having finally gained entry, the attacker wipes the internal source code as a distraction and then downloads personal data relating to employees, suppliers and customers while the organization scrambles to plug the hole.

Scenario 2: In 2013, the German division of Vodafone was hacked and the names, addresses, bank account numbers and birth dates of more than 2 million German Vodafone customers were stolen. The attacker was a third-party subcontractor. User activity monitoring software could have alerted the company that an insider attack was under way.

Scenario 3: A user copies some movies from a USB stick he brought from home onto his work computer to share with colleagues. Unfortunately, the stick was previously infected by the friend who gave it to him. Basic anti-virus software should catch the malware, provided the user's anti-virus program is up to date. Alerting the security department to blocked attempts like this helps it implement more stringent controls in the future.

Security Awareness

How Can I Learn More About OWASP Top 10 Vulnerabilities?

Infosec Institute offers secure-coding training modules for developers through its security awareness training platform, SecurityIQ, including a module on insufficient logging and monitoring.

The platform includes training for every vulnerability included in OWASP’s 2017 list, as well as over 300 additional security awareness training modules for all employee levels and roles. Sign up for a free SecurityIQ account to get started today.
